A breach of AT&T that exposed “nearly all” of the company’s customers may have included records related to confidential FBI sources, potentially explaining the bureau’s new embrace of end-to-end encryption.

The United States telecom giant AT&T disclosed a breach in July involving call and text messaging logs from six months in 2022 of “nearly all” its more than 100 million customers. In addition to exposing personal communication details for a slew of individual Americans, though, the FBI has been on alert that its agents’ call and text records were also included in the breach. A document seen and first reported by Bloomberg indicates that the bureau has been scrambling to mitigate any potential fallout that could lead to revelations about the identities of anonymous sources connected to investigations.

The breached data didn't include the content of calls and texts, but Bloomberg reports that it would have shown communication logs for agents' mobile numbers and other phone numbers they used during the six months period. It is unclear how widely the stolen data has spread, if at all. WIRED reported in July that after the hackers attempted to extort AT&T, the company paid $370,000 in an attempt to have the data trove deleted. In December, US investigators charged and arrested a suspect who reportedly was behind the entity that threatened to leak the stolen data.

The FBI tells WIRED in a statement: “The FBI continually adapts our operational and security practices as physical and digital threats evolve. The FBI has a solemn responsibility to protect the identity and safety of confidential human sources, who provide information every day that keeps the American people safe, often at risk to themselves.”

AT&T spokesperson Alex Byers says in a statement that the company “worked closely with law enforcement to mitigate impact to government operations” and appreciates the “thorough investigation” they conducted. “Given the increasing threat from cybercriminals and nation-state actors, we continue to increase investments in security as well as monitor and remediate our networks,” Byers adds.

The situation is surfacing amid ongoing revelations about a different hacking campaign perpetrated by China's Salt Typhoon espionage group, which compromised a slew of US telecoms, including AT&T. This separate situation exposed call and text logs for a smaller group of specific high-profile targets, and in some cases included recordings as well as information like location data.

As the US government has scrambled to respond, one recommendation from the FBI and the Cybersecurity and Infrastructure Security Agency has been for Americans to use end-to-end encrypted platforms—like Signal or WhatsApp—to communicate. Signal in particular stores almost no metadata about its customers and would not reveal which accounts have communicated with each other if it were breached. The suggestion was sound advice from a privacy perspective, but was very surprising given the US Justice Department's historic opposition to the use of end-to-end encryption. If the FBI has been grappling with the possibility that its own informants may have been exposed by a recent telecom breach, though, the about-face makes more sense.

If agents were following protocol for investigative communications strictly, though, the stolen AT&T call and text logs shouldn't pose a big threat, says former NSA hacker and Hunter Strategy vice president of research Jake Williams. Standard operating procedure should be designed to account for the possibility that call logs could be compromised, he says, and should require agents to communicate with sensitive sources using phone numbers that have never been linked to them or the US government. The FBI could be warning about the AT&T breach out of an abundance of caution, Williams says, or it may have discovered that agents' mistakes and protocol errors were captured in the stolen data. “This wouldn't be a counterintelligence issue unless someone was not following procedure,” he says.

Williams adds, too, that while the Salt Typhoon campaigns are only known to have impacted a relatively small group of people, they affected many telecoms, and the full impact of those breaches still may not be known.

“I worry about the FBI sources who might have been affected by this AT&T exposure, but more broadly the public still doesn't have a full understanding of the fallout of the Salt Typhoon campaigns,” Williams says. “And it seems that the US government is still working on getting a grasp of that as well.”

Hackers Likely Stole FBI Call Logs From AT&T That Could Compromise Informants

New order mandates securing the federal software supply chain and communications networks, as well as deploying AI tools to protect critical infrastructure from cyberattacks — but will the Trump administration follow through?

Source: UPI via Alamy Stock Photo

As President Biden prepares to hand over the government to the incoming Trump administration, he has issued a new cybersecurity executive order (EO) outlining an aggressive cyber-defense plan for today's most dangerous national cyber threats — including China, and rampant software supply chain vulnerabilities across government and the private sector.

Sweeping and ambitious, the EO reads like a detailed US cybersecurity status report from the Biden administration, focused on laying groundwork for the incoming team. And with threats on the rise across the world, party affiliation and partisan predilections aside, America and Americans' cybersecurity relies on a smooth handoff from Biden to Trump, experts say.

The signs are positive so far. The order is a reflection of a forthright and responsible transition to the Trump administration, according to Tom Cross, a cybersecurity strategist at WitFoo.

"Cybersecurity is not a partisan issue — everyone in the United States has a shared interest in protecting our nation against foreign cyber threats, such as spying and network disruption," Cross wrote in a statement responding to the new Biden cybersecurity executive order. "By issuing this EO now, the Biden administration is able to put its best thinking on these topics in motion, giving the Trump administration time to put new leaders in place and develop its strategy going forward.”

The EO is a bookend to Biden's 2021 cybersecurity executive order, issued early in his term, and reflects a country plagued by a new set of geopolitical adversaries armed with increasingly sophisticated technology, including generative artificial intelligence (GenAI).

The order acknowledges the brazen rise in malicious cyber activity from China, including breaches of the US Treasury and at least nine telecommunications networks in a vast espionage operation carried out by Salt Typhoon and other advanced persistent threats (APTs) sponsored by the Chinese government. While the EO only covers federal agencies, the Biden administration has long used federal cybersecurity policies and resources as a way to push the private sector into adopting more secure standards in turn.

"The Biden administration’s latest cyber executive order is focused on securing critical infrastructure, adopting AI for defense, and transitioning to post-quantum cryptography with an ambitious agenda," Andrew Borene, executive director of global security for Flashpoint and a former Office of the Director of National Intelligence (ODNI) senior official, tells Dark Reading. "However, the real power of this executive order may lie in its ability to institutionalize some best practices as American multinational businesses and government agencies face a new Cold War's dangerous digital environment."

**Securing the Federal Software Supply Chain, Cloud, Space**

Biden's latest EO starts with the federal software supply chain, mandating that agencies develop secure software acquisition standards and only do business with software vendors that can attest to secure development practices and provide evidence of compliance with those standards. Within the next 60 days, a consortium is ordered to be convened, including the cecretary of commerce and National Institute of Standards and Technology (NIST) officials, to develop those standards, which will include practices, procedures, controls, and implementation examples, according to the EO.

Federal agencies were also ordered to implement NIST supply chain risk management practices. The Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) will evaluate how to securely manage open source software inside federal networks.

Biden's order additionally addresses emerging attack surfaces across the federal government, including cloud and space/satellite systems, and calls for the implementation of identity and access management (IAM) practices across agencies.

On the cloud front, the order mandates that FedRAMP marketplace service providers such as Google or Amazon provide federal agencies with recommendations on cloud configuration.

"I am particularly happy to see that cloud providers will be required to publish information to clients on how to operate securely," Chris Hauk, consumer privacy champion at Pixel Privacy, wrote in a statement. "Too many data breaches have been due to misconfigured cloud data buckets, many times leaving the data stored in those buckets open to anyone with an Internet connection and a little bit of knowledge."

Space systems meanwhile are ordered to receive continuous analysis to ensure US systems are keeping up with the latest threats, the EO explained.

"As cybersecurity threats to space systems increase, these systems and their supporting digital infrastructure must be designed to adapt to evolving cybersecurity threats and operate in contested environments," the EO reads. "In light of the pivotal role space systems play in global critical infrastructure and communications resilience, and to further protect space systems and the supporting digital infrastructure vital to our national security, including our economic security, agencies shall take steps to continually verify that federal space systems have the requisite cybersecurity capabilities through actions including continuous assessments, testing, exercises, and modeling and simulation."

**Securing Federal Communications**

China's espionage activities have highlighted the need to secure federal communications networks, according to the EO. The Biden administration thus has established guidelines for shoring up communications network cybersecurity, including implementing identity controls, encrypting DNS traffic, and encrypting all emails, voice, video, and messaging.

Regarding cryptography, the Biden EO said new rules for protecting and auditing cryptographic keys will be developed by NIST. Further, agencies should require post-quantum cryptography, where applicable, the EO states.

These cryptography and authentication controls requirements are also applicable to other critical national security systems, Flashpoint's Borene points out.

"From energy grids to satellites, the directive emphasizes the need to secure the systems that underpin our national security and daily life," he adds. "The push for universal encryption and authentication protocols is particularly timely, given the frequency and scale of recent attacks."

**Unleashing AI to Secure Critical Infrastructure**

Artificial Intelligence must be deployed to protect US critical infrastructure from cyberattack, according to the Biden EO. The order establishes a program to explore the use of AI to bolster US cyber defenses and push for additional research.

And indeed, AI will place an increasing role in protecting the US from cyberattacks in the future, according to Christian Geyer, CEO and founder of Actfore.

"While it's crucial to recognize the expanding attack surface that AI may bring, we can be optimistic about the incredible potential it holds for enhancing security and efficiency," Geyer wrote in a statement. "The main challenge lies in navigating the complexities of government processes, but with the right approach, these challenges can be overcome, ensuring that technology initiatives are both effective and secure."

Ransomware and the development of digital identification for secure online transactions are also included in the Biden administration's cybersecurity wish list.

The EO is clearly comprehensive and wide-ranging. But without buy-in from Trump's cyber team, many of the EO's efforts could be stymied, researchers warn. It's unclear for now how it will go.

The Trump administration has already signaled a distaste for regulation, and put it into practice throughout Trump's first term, according to Coleman Mehta, head of global public policy and strategy at Infoblox. Yet, he was willing to build on previous cybersecurity policies from the Obama administration.

"Similarly, President Biden often built on policies set by Trump," Mehta tells Dark Reading. "The fundamentals of that continuity should stay the same; focus on the threat from Chinese cyber adversaries, strengthen supply chain security, and continue to build public-private collaboration."

During his recent Senate confirmation hearings for secretary of state, Sen. Marco Rubio (R-Fla.) indicated an interest in seeing policy changes that address the global cyber supply chain threat, Flashpoint's Borene points out.

"Looking ahead, the new administration inherits a world of rapidly escalating state threats from adversaries like China, Russia, Iran, along with a growing network of cyber proxies and even transnational criminal extortion groups," Borene says. "A well-executed handoff of some of the executive order’s provisions could bolster US cyber defenses at a time when proactive information security has never been more critical."

Biden's Cybersecurity EO Leaves Trump a Comprehensive Blueprint for Defense

PRESS RELEASE

SALT LAKE CITY — January 13, 2025 — Ivanti, the software company that breaks down barriers between IT and security so that Everywhere Work can thrive, has appointed seasoned tech leader, Karl Triebes, as Chief Product Officer. In his new role, Triebes will focus on ensuring that Ivanti’s product strategy aligns with the company’s long-term goals, drives innovation, and enhances customer satisfaction.

Triebes’ appointment comes at a pivotal time for Ivanti, as the company continues to expand its footprint in the IT management and security landscape. His extensive experience and visionary approach are expected to ensure the company remains at the forefront of delivering high-quality technology solutions.

“I am thrilled to join Ivanti at such an exciting time in the company’s journey,” said Karl Triebes. “Ivanti's commitment to innovation and customer-centric approach align perfectly with my vision for product development. I look forward to working with the talented team at Ivanti to drive our product strategy forward, enhance our engineering capabilities, and deliver exceptional solutions to our customers.”

He joins Ivanti with over 30 years of extensive experience in technology leadership and product development. Throughout his career, Karl has held pivotal roles in several high-profile technology companies such as F5, Amazon and Imperva. In these positions, he has consistently demonstrated a strong prowess in engineering, product strategy, and driving business growth. His seasoned leadership and innovative vision have been instrumental in advancing technology solutions and enhancing product portfolios.

His strategic oversight will ensure that Ivanti’s products not only meet but exceed the expectations of customers, driving sustained business growth and solidifying Ivanti’s position as a leader in the industry.

“Customer satisfaction is at the heart of everything we do,” Triebes added. “By focusing on innovation and maintaining a customer-centric approach, we can develop products that not only solve current challenges but also anticipate future needs. I am eager to lead Ivanti in this direction and contribute to the company’s continued success.”

Ivanti’s CEO, Dennis Kozak, stated, “We are delighted to welcome Karl to the Ivanti team. His extensive experience and proven track record in technology leadership make him the perfect fit for our organization. We are confident that under his guidance, Ivanti will continue to innovate and deliver exceptional solutions to our customers.”

About Ivanti

Ivanti breaks down barriers between IT and security so that Everywhere Work can thrive. Ivanti has created the first purpose-built technology platform for CIOs and CISOs – giving IT and security teams comprehensive software solutions that scale with their organizations’ needs to enable, secure and elevate employees' experiences. The Ivanti platform is powered by Ivanti Neurons - a cloud-scale, intelligent hyper automation layer that enables proactive healing, user-friendly security across the organization, and provides an employee experience that delights users. Over 35,000 customers, including 85 of the Fortune 100, have chosen Ivanti to meet challenges head-on with its end-to-end solutions. At Ivanti, we strive to create an environment where all perspectives are heard, respected and valued and are committed to a more sustainable future for our customers, partners, employees and the planet. For more information, visit www.ivanti.com and follow @GoIvanti.

Karl Triebes Joins Ivanti as Chief Product Officer

By staying vigilant, agile, and prepared, organizations can turn TDIR from a defensive strategy into a proactive enabler of security and operational excellence.

The digital era has revolutionized how businesses operate, bringing unprecedented opportunities and challenges. Among the most pressing challenges are the ever-growing and sophisticated cyber threats. From crippling ransomware attacks to insidious phishing campaigns, organizations face a mounting need to defend their digital assets effectively.

In this complex landscape, threat detection, investigation, and response (TDIR) has become a cornerstone of modern cybersecurity. Unlike traditional, siloed approaches, TDIR integrates advanced technologies, skilled professionals, and well-defined processes into a unified framework. This holistic strategy empowers organizations to anticipate, identify, and address threats swiftly, fortifying both their security posture and operational resilience.

**Threat Detection: The First Line of Defense**

Cybersecurity begins with visibility — the ability to identify anomalies before they evolve into full-blown incidents. Threat detection serves as a digital sentinel, continuously monitoring systems for suspicious activities or deviations from the norm.

Take, for example, an instance where an employee's account starts downloading large volumes of sensitive data during non-business hours. While this may appear routine, sophisticated detection tools like security information and event management (SIEM) or endpoint detection and response (EDR) systems can flag such behavior as potentially malicious. These tools analyze vast amounts of data in real-time, enabling security teams to prioritize and respond to critical alerts.

**Real-World Applications of Threat Detection**

*   Phishing attacks: A SIEM solution identifies multiple failed log-in attempts from international IP addresses, signaling a targeted phishing campaign.
    
*   Ransomware: EDR platforms detect unusual file encryption patterns, catching ransomware in its early stages.
    
*   Insider threats: User and entity behavior analytics (UEBA) uncover unauthorized attempts to access sensitive files, potentially indicating insider malfeasance.
    

**Investigation: Unveiling the Bigger Picture**

Detection alone is not enough. Once a potential threat is identified, the investigation phase provides the context necessary to understand its origin, scope, and potential impact. This process is akin to piecing together a digital jigsaw puzzle to form a coherent narrative of the attack.

**Case Study**

A supply chain attack compromises an organization's network via a vulnerable third-party vendor. An investigation reveals that attackers exploited outdated software in the vendor's systems to gain unauthorized access.

During this phase, security teams leverage tools such as extended detection and response (XDR) platforms to correlate events, validate alerts, and construct a detailed timeline of the incident.

**Key Techniques in Threat Investigation**

*   Root cause analysis: Identifying vulnerabilities such as unpatched software or weak passwords.
    
*   Event correlation: Connecting seemingly unrelated events, such as unusual file transfers and login attempts, to reveal a coordinated attack.
    
*   Threat intelligence integration: Enriching investigations with external threat data to understand attacker tactics and methodologies.
    

**Response: Neutralizing the Threat**

The final phase of TDIR is response — an organized effort to contain, mitigate, and recover from the threat. The success of this phase hinges on speed, precision, and collaboration across teams.

**Example Scenario**

A university detects a ransomware attack encrypting files across its network. The incident response team acts swiftly to isolate infected systems, restore critical data from secure backups, and patch vulnerabilities exploited by the attackers. Post-incident, the university implements enhanced email filtering and endpoint protection to prevent future attacks.

**Key Response Strategies**

*   Containment: Isolating affected accounts or systems to limit the threat's impact.
    
*   Remediation: Eliminating malicious code, closing security gaps, and strengthening defenses.
    
*   Recovery: Restoring normal operations through reliable backups while leveraging lessons learned to refine future response protocols.
    

**The Value of TDIR in Modern Cybersecurity**

Organizations that adopt a comprehensive TDIR framework gain a competitive edge in cybersecurity. Here are some of the key benefits:

*   Enhanced visibility: Continuous monitoring across endpoints, networks, and cloud environments ensures a clear understanding of the security landscape.
    
*   Faster response times: Automated workflows and well-defined playbooks reduce the time taken to address incidents, minimizing damage.
    
*   Cost savings: Early detection and efficient response mechanisms lower the financial and reputational costs of breaches.
    
*   Regulatory compliance: A robust TDIR framework supports adherence to compliance standards like GDPR, HIPAA, and CCPA by ensuring effective threat management.
    

**TDIR in Action: Learning From Real-World Scenarios**

*   Healthcare data breach: A hospital responds to a ransomware attack by isolating compromised systems, restoring data from secure backups, and enhancing access controls to prevent recurrence.
    
*   Retail supply chain attack: A retailer mitigates a breach caused by a third-party vendor by implementing stronger third-party risk management practices and network segmentation.
    
*   Insider threat in banking: A financial institution uncovers unauthorized actions by an employee, leading to immediate corrective measures and stricter privileged access management.
    

**Proactive Defense Through TDIR**

In today's threat-filled digital landscape, TDIR is not merely a cybersecurity option — it's an imperative. By adopting a proactive, unified approach, organizations can build resilience against a diverse array of threats, from phishing and ransomware to insider attacks.

TDIR's strength lies in its integration of advanced technology, human expertise, and strategic processes, enabling organizations to navigate the evolving cyber threat landscape with confidence. As the battle against cybercrime continues, those who embrace TDIR will not only safeguard their operations but also strengthen their reputations and ensure long-term resilience.

By staying vigilant, agile, and prepared, organizations can turn TDIR from a defensive strategy into a proactive enabler of security and operational excellence.

**About the Author**

Lead Engineer/IAM Architect, Paramount Global

Sameer Bhanushali is an experienced IAM Architect with more than 16 years of expertise in information security, identity and access management (IAM), cloud services, and system architecture. Recognized for his ability to lead end-to-end IAM initiatives, Sameer leverages cutting-edge technologies and industry best practices to design and implement tailored solutions for both on-premises and cloud environments.

Sameer has been instrumental in aligning technical strategies with organizational goals, optimizing system performance, and enhancing cybersecurity defenses throughout his career. His consultancy excellence across diverse sectors has consistently delivered scalable IAM solutions that drive business growth while ensuring robust security.

A holder of advanced IAM and cybersecurity certifications, Sameer excels in navigating complex cybersecurity challenges, strengthening security postures, and exploring innovative technologies to deliver transformative outcomes. His dedication to the field is reflected in his thought leadership and unwavering commitment to protecting sensitive information in an evolving threat landscape.

Strategic Approaches to Threat Detection, Investigation &amp; Response

Technology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep…

Technology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep up, businesses need to understand that while complex regulations may sound difficult to deal with; cybersecurity threats are the real danger to their credibility and success. Here are six strategies that showcase how the change in financial technology impacts expansion and security.

**1\. **Using Data Analytics for Smarter Security and Personalization****

Fintech companies have access to a treasure trove of user data, making data analytics a key to both innovation and security. Predictive analytics can detect fraud in real time by spotting unusual transaction patterns, while personalization algorithms offer customized financial solutions to users.

Take PayPal, for instance, which uses machine learning to track fraud attempts while ensuring seamless user experiences. By investing in platforms like Tableau or Splunk, companies can not only improve data-driven decisions but also strengthen their cybersecurity protection.

**2\. **Optimizing Customer Journeys Through AI and Automation****

Customer retention in fintech depends on efficient, user-friendly platforms. AI-driven Client Lifecycle Management (CLM) tools not only enhance customer experience but also fortify compliance with data protection laws like GDPR.

For example, automated KYC (Know Your Customer) processes can validate user identities within minutes, reducing conflict while maintaining security. Companies that leverage AI to simplify operations position themselves as leaders in convenience and trust, two critical factors in the digital financial world.

**3\. **Expanding Beyond Payments: Diversification in Fintech Offerings****

Successful fintech companies are moving beyond basic services like payments and lending to offer a wider range of products. Digital wallets, cryptocurrency trading, BNPL (Buy Now, Pay Later) options, and even ESG (Environmental, Social, and Governance)-focused investment tools are becoming standard offerings.

For instance, Square (now Block) transitioned from payment processing to include cash apps, crypto wallets, and merchant solutions. This diversification not only strengthens market positioning but also hedges against disruptions in individual sectors.

**4\. **Automating Security Protocols to Counter Cyber Threats****

While cybersecurity threats grow more sophisticated, automation in fintech security has become a necessity. Tools like automated anomaly detection, real-time threat intelligence, and AI-driven incident response systems ensure swift responses to breaches.

Take Stripe, which integrates advanced monitoring tools to detect and neutralize suspicious activity before it escalates. Automation in security protocols not only protects sensitive financial data but also boosts consumer confidence in the platform.

**5\. **Sustainability in Fintech: Balancing Growth with Responsibility****

The fintech sector is embracing sustainability through green technologies and ethical financial practices. Blockchain-based carbon credit platforms, eco-friendly payment cards, and renewable energy-backed investments are paving the way for a greener future.

Consider Mastercard’s sustainable card program, which uses biodegradable materials and supports reforestation initiatives. By integrating eco-conscious elements, fintech companies are appealing to the growing demographic of socially responsible consumers and investors.

**6\. **Risk Management with Predictive Technologies****

Managing risk (risk management) is critical in fintech, where markets and regulations can change overnight. Predictive technologies like machine learning are revolutionizing risk management by identifying vulnerabilities before they become liabilities.

For example, Robinhood employs real-time analytics to manage liquidity risks and safeguard user assets during volatile market conditions. This approach not only ensures operational stability but also reinforces trust in the brand.

The worlds of technology and finance are changing like never before, with advancements in AI, blockchain, and sustainable solutions building the future of fintech. By using data-driven security, improving operations through automation, and focusing on sustainable practices, companies can remain competitive. For fintech firms, the message is clear: innovate, adapt, and protect your operations, or risk falling behind.

1.  **Cybersecurity, Big Data and Automation Tools**
2.  **Top 9 Compliance Automation Software in 2024**
3.  **Fortifying FinTech: Building Resilient APIs for Security**
4.  **Digital Transformation in Financial Industry: The Role of Fintech**
5.  **Blockchain and Smart Contracts in Securing Digital Transactions**

Top/Featured Image via Marvin Meyer/Unsplash

6 Strategic Innovations Transforming the Fintech Industry

US president Joe Biden just issued a 40-page executive order that aims to bolster federal cybersecurity protections, directs government use of AI—and takes a swipe at Microsoft’s dominance.

Four days before he leaves office, US president Joe Biden has issued a sweeping cybersecurity directive ordering improvements to the way the government monitors its networks, buys software, uses artificial intelligence, and punishes foreign hackers.

The 40-page executive order unveiled on Thursday is the Biden White House’s final attempt to kickstart efforts to harness the security benefits of AI, roll out digital identities for US citizens, and close gaps that have helped China, Russia, and other adversaries repeatedly penetrate US government systems.

The order “is designed to strengthen America’s digital foundations and also put the new administration and the country on a path to continued success,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technology, told reporters on Wednesday.

Looming over Biden’s directive is the question of whether president-elect Donald Trump will continue any of these initiatives after he takes the oath of office on Monday. None of the highly technical projects decreed in the order are partisan, but Trump’s advisers may prefer different approaches (or timetables) to solving the problems that the order identifies.

Trump hasn’t named any of his top cyber officials, and Neuberger said the White House didn’t discuss the order with his transition staff, “but we are very happy to, as soon as the incoming cyber team is named, have any discussions during this final transition period.”

The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents—namely, the security failures of federal contractors.

The order requires software vendors to submit proof that they follow secure development practices, building on a mandate that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency would be tasked with double-checking these security attestations and working with vendors to fix any problems. To put some teeth behind the requirement, the White House’s Office of the National Cyber Director is “encouraged to refer attestations that fail validation to the Attorney General” for potential investigation and prosecution.

The order gives the Department of Commerce eight months to assess the most commonly used cyber practices in the business community and issue guidance based on them. Shortly thereafter, those practices would become mandatory for companies seeking to do business with the government. The directive also kicks off updates to the National Institute of Standards and Technology’s secure software development guidance.

Another part of the directive focuses on the protection of cloud platforms’ authentication keys, the compromise of which opened the door for China’s theft of government emails from Microsoft’s servers and its recent supply-chain hack of the Treasury Department. Commerce and the General Services Administration have 270 days to develop guidelines for key protection, which would then have to become requirements for cloud vendors within 60 days.

To protect federal agencies from attacks that rely on flaws in internet-of-things gadgets, the order sets a January 4, 2027, deadline for agencies to purchase only consumer IoT devices that carry the newly launched US Cyber Trust Mark label.

Another part of the order boosts CISA’s ability to watch for cyberattacks across the government by tapping into the security software that other agencies operate. It’s an attempt to reduce visibility gaps that adversaries have successfully exploited in many intrusions, especially the 2020 SolarWinds hack. The order requires agencies to give CISA direct access to their security platforms and to allow CISA to conduct unannounced threat-hunting activities on their networks.

“If we find one particular technique that a foreign government is using to hack one particular federal agency,” Neuberger said, “this now … gives CISA centralized visibility to hunt across all agency systems to ensure we're defending against this attack broadly.”

The security risks and opportunities of AI play a major role in the executive order. The document directs the departments of Energy and Homeland Security to launch a pilot program to use AI to help protect energy infrastructure, with the goal of automating things like vulnerability detection and patching. The Defense Department would have to launch a program to use “advanced AI models” for cyber defense.

Biden also wants DHS, Commerce, and the National Science Foundation to prioritize research on topics like how humans and AI tools can coordinate to analyze cyber threat data, how to ensure the security of AI-generated code, how to design secure AI models, and how to prevent and recover from cyber incidents involving AI systems.

Biden’s order attempts to expedite agencies’ use of digital identity documents to streamline citizen services and reduce waste and fraud. The directive asks agencies to “consider accepting digital identity documents” as proof of eligibility for public benefits. Commerce would have 270 days to issue guidance to help agencies do so.

Other provisions in the executive order require government recommendations for securing open-source software; updates to cyber requirements in contracts for space systems; contracting changes to ensure that new technology supports post-quantum cryptography; and the use of encryption in DNS technologies, email systems, and voice and video conferencing platforms. There is also a provision requiring OMB to help agencies reduce risks associated with concentration in the IT market—a not-so-veiled shot at Microsoft.

The order also lowers the bar for the government to be able to sanction people who launch cyberattacks on US critical infrastructure, potentially easing barriers to deploying one of Washington’s favorite responses to major hacks.

A New Jam-Packed Biden Executive Order Tackles Cybersecurity, AI, and More

"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.

Source: DD Images via Shutterstock

North Korea's Lazarus threat group has launched a fresh wave of attacks targeting software developers, using recruitment tactics on job-hiring platforms. This time, the group is using job postings on LinkedIn to lure freelance developers in particular into downloading malicious Git repositories; these contain malware for stealing source code, cryptocurrency, and other sensitive data.

The SecurityScorecard STRIKE team on Jan. 9 discovered the ongoing attack, dubbed Operation 99, in which attackers pose as recruiters to entice the developers with project tests or code reviews, the researchers revealed in a report (PDF) published today.

"Victims are tricked into cloning malicious Git repositories that connect to a command-and-control (C2) server, initiating a series of data-stealing implants," according to the post.

Attackers are using various payloads that work across Windows, macOS, and Linux in the campaign, using a layered malware delivery system with modular components that adapt to different targets. Downloaders such as Main99 retrieve and execute payloads that include Payload 99/73, brow99/73, and MCLIP, which perform tasks like keylogging, clipboard monitoring, file exfiltration from development environments, and browser credential theft.

Related:Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

The malware also steals from application source code, secrets and configuration files, and cryptocurrency-related assets such as wallet keys and mnemonics, according to the researchers. The latter are used to facilitate direct financial theft, furthering Lazarus' goals to fund the regime of North Korean leader Kim Jong Un.

"By embedding the malware into developer workflows, the attackers aim to compromise not only individual victims, but also the projects and systems they contribute to," according to the report.

**North Korea's History of Targeting Developers**

The campaign builds on previous tactics by the group to target developers with various malware, including 2021's Operation Dream Job, in which the group sent fake job offers to specific organizational targets. When opened, they installed Trojan programs to collect information and send it back to the attackers.

Lazarus' long history of using the technology job market to target victims also includes another campaign called DEV#POPPER, which targeted software developers worldwide for data theft by having attackers pose as recruiters for nonexistent jobs.

North Korean threat groups also have turned the tables and used their own cyber spies to infiltrate global organizations for cyber espionage. The now-infamous case of security firm KnowBe4 accidentally hiring a North Korean hacker shows how convincing these campaigns can be.  

Related:Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

While a Department of Justice operation in May disrupted North Korea's widespread IT freelance operation with the indictment of several people for helping state-sponsored actors establish fake freelancer identities and evade sanctions, the latest campaign demonstrates that Lazarus remains undaunted.

Amid all this, the new campaign shows an evolution in tactics, the researchers said.

"In this instance, Lazarus is demonstrating a higher level of sophistication and focus compared to previous campaigns," says Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. These include using AI-generated profiles to pose as recruiters that appear highly authentic and realistic, "enabling them to effectively deceive victims," he adds.

"By presenting complete and convincing profiles, they offer what seem to be genuine job opportunities to developers," Sherstobitoff says. In some cases, Lazarus even compromises existing LinkedIn accounts to lend heft to their credibility, he adds.

The group also is employing more advanced techniques for obfuscation and encryption, making their malicious activities significantly more difficult to detect and analyze, Sherstobitoff says.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

**Job Seekers, Exercise Caution**

Indeed, as these campaigns become more sophisticated through the use of AI and advanced social engineering, it's becoming "easier for attackers to gain the confidence of their targets, demonstrating a significant evolution in the level of precision and realism in their campaigns," Sherstobitoff says.

For this reason, mitigation strategies "should fundamentally center around reinforcing social engineering awareness and adhering to the basics of cybersecurity for everyday employees," he says. As a general rule, if a job offer or opportunity seems too good to be true, it likely is, and "should be approached with skepticism," Sherstobitoff says.

"Employees also should exercise extreme caution when interacting with recruiters, particularly if asked to download files, clone repositories, or engage with unfamiliar software," especially over platforms like LinkedIn or email, he says. "These channels can be easily manipulated by attackers posing as legitimate entities."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Lazarus APT Evolves Developer-Recruitment Attacks

Ultimately, there is no replacement for an intuitive, security-focused developer working with the critical thinking required to drive down the risk of both AI and human error.

Matias Madou, Co-Founder & CTO, Secure Code Warrior

January 15, 2025

5 Min Read

Source: Nils Ackermann via Alamy Stock Vector

COMMENTARY

The advent of artificial intelligence (AI) coding tools undoubtedly signifies a new chapter in modern software development. With 63% of organizations currently piloting or deploying AI coding assistants into their development workflows, the genie is well and truly out of the bottle, and the industry must now make careful moves to integrate it as safely and efficiently as possible.

The OWASP Foundation has long been a champion of secure coding best practices, providing extensive coverage on how developers can best defend their codebases from exploitable vulnerabilities. Its recent update to the OWASP Top 10 for Large Language Model (LLM) Applications reveals the emerging and most potent threats perpetuated by AI-generated code and generative AI (GenAI) applications, and this is an essential starting point for understanding and mitigating the threats likely to rear their ugly heads. 

We must focus on integrating solid, foundational controls around developer risk management if we want to see more secure, higher quality software in the future, not to mention make a dent in the flurry of global guidelines that demand applications are released that are secure by design.

**The Perilous Crossover Between AI-Generated Code and Software Supply Chain Security**

Prompt Injection's ranking as the No. 1 entry on the latest OWASP Top 10 was unsurprising, given its function as a direct natural language command telling the software what to do (for better or worse). However, Supply Chain Vulnerabilities, which have a much more significant impact at the enterprise level, came in at No. 3. 

OWASP's advice mentions several attack vectors comprising this category of vulnerability, elements such as implementing pretrained models that are also precompromised with backdoors, malware and poisoned data, or vulnerable LoRA adapters that, ironically, are used to increase efficiency, but can, in turn, compromise the base LLM. These present potentially grave, widespread exploitable issues that can permeate the whole supply chain in which they are used.

Sadly, many developers are not skill- and process-enabled enough to navigate these problems safely, and this is even more apparent when assessing AI-generated code for business logic flaws. While not specifically listed as a category, as is apparent in OWASP’s Top 10 Web Application Security Risks, this is partly covered in No. 6, Excessive Agency. Often, a developer will vastly overprivilege the LLM for it to operate more seamlessly, especially in testing environments, or misinterpret how real users will interact with the software, leaving it vulnerable to exploitable logic bugs. These, too, affect supply chain applications and, overall, require a developer to apply critical thinking and threat modeling principles to overcome them. Unchecked AI tool use, or adding AI-powered layers to existing codebases, adds to the overall complexity and is a significant area of developer-driven risk.

**Data Exposure Is a Serious Concern Requiring Serious Awareness**

Sensitive Information Disclosure is second on the new list, but it should be a chief concern for enterprise security leaders and development managers. As OWASP points out, this vector can affect both the LLM itself and its application context, leading to personally identifiable information (PII) exposure, and disclosure of proprietary algorithms and business data.

The nature of how the technology operates can mean that exposing this data is as simple as using cunning prompts rather than actively "hacking" a code-level vulnerability, and "the grandma exploit" is a prime example of sensitive data being exposed due to lax security controls over executable prompts. Here, ChatGPT was duped into revealing the recipe for napalm when prompted to assume the role of a grandmother reading a bedtime story. A similar technique was also used to extract Windows 11 keys. 

Part of the reason this is made possible is through poorly configured model outputs that can expose proprietary training data, which can then be leveraged in inversion attacks to eventually circumvent the security controls. This is a high-risk area for those who are feeding training data into their own LLMs, and the use of the technology requires companywide, role-based security awareness upskilling. The developers building the platform must be well-versed in input validation and data sanitization (as in, these skills are verified and assessed before they can commit code), and every end user must be trained to avoid feeding sensitive data that can be spat out at a later date.

While this may seem trivial on a small scale, at the government or enterprise level, with the potential for tens of thousands of employees to inadvertently participate in exposing sensitive data, it's a significant expansion of an already unwieldy attack surface that must be addressed.

**Are You Paying Attention to Retrieval-Augmented Generation (RAG)?**

Perhaps the most notable new entry in the 2025 list is featured at No. 8, Vector and Embedding Weaknesses. With enterprise LLM applications often utilizing RAG technology as part of the software architecture, this is a vulnerability category to which the industry must pay close attention.

RAG is essential for model performance enhancement, often acting as the "glue" that provides contextual cues between pre-trained models and external knowledge sources. This is made possible by implementing vectors and embeddings, but if they are not implemented securely they can lead to disastrous data exposure, or pave the way for serious data poisoning and embedding inversion attacks. 

A comprehensive understanding of both core business logic and least-privilege access control should be considered a security skills baseline for developers working on internal models. However, realistically, the best-case scenario would involve utilizing the highest-performing, security-skilled developers and their AppSec counterparts to perform comprehensive threat modeling and ensure sufficient logging and monitoring.

As with all LLM technology, while this is a fascinating emerging space, it should be crafted and used with a high level of security knowledge and care. This list is a powerful, up-to-date foundation for the current threat landscape, but the environment will inevitably grow and change quickly. The way in which developers create applications is sure to be augmented in the next few years, but ultimately, there is no replacement for an intuitive, security-focused developer working with the critical thinking required to drive down the risk of both AI and human error.

**About the Author**

Co-Founder & CTO, Secure Code Warrior

Matias Madou is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company, Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences, including RSA Conference, Black Hat, DEF CON, BSIMM, OWASP AppSec, and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.

OWASP's New LLM Top 10 Shows Emerging AI Threats

Lilith >_> of Cisco Talos discovered these vulnerabilities. 
Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.  
The Wavlink AC3000 wireless router is one of the

Wednesday, January 15, 2025 08:00

_Lilith >\_> of Cisco Talos discovered these vulnerabilities._ 

Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.  

The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point. 

Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy. Wavlink has declined to release a patch for these vulnerabilities.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

**Static login vulnerability **

An attacker can send a specially crafted set of network packets over WAN to gain root access to the router via the wcrtrl service and static login credentials.  

Static Login 

*   TALOS-2024-2034 (CVE-2024-39754): Static login 

**Ten .cgi vulnerabilities **

An unauthenticated HTTP request can trigger the following types of vulnerabilities: 

touchlist\_sync.cgi 

*   TALOS-2024-1999 (CVE-2022-2488): Arbitrary code execution 
*   TALOS-2024-2000 (CVE-2024-34166): Command injection 
*   TALOS-2024-2046 (CVE-2024-36258): Buffer overflow  

Login.cgi 

*   TALOS-2024-2017 (CVE-2024-39363): Persistent XXS 
*   TALOS-2024-2018 (CVE-2024-39759-CVE-2024-39761): Command injection 
*   TALOS-2024-2019 (CVE-2024-36290): Buffer overflow  
*   TALOS-2024-2036 (CVE-2024-39608): Unauthenticated firmware upload  

internet.cgi 

*   TALOS-2024-2020 (CVE-2024-39762-CVE-2024-39765): Command injection 
*   TALOS-2024-2021 (CVE-2024-39288): Buffer overflow 
*   TALOS-2024-2022 (CVE-2024-39768-CVE-2024-39770): Buffer overflow  

firewall.cgi 

*   TALOS-2024-2023 (CVE-2024-39367): Command injection  

adm.cgi 

*   TALOS-2024-2024 (CVE-2024-39756): Buffer overflow 
*   TALOS-2024-2025 (CVE-2024-37184): Buffer overflow 
*   TALOS-2024-2026 (CVE-2024-39294): Buffer overflow 
*   TALOS-2024-2027 (CVE-2024-39358): Buffer overflow 
*   TALOS-2024-2028 (CVE-2024-21797): Command injection 
*   TALOS-2024-2029 (CVE-2024-37357): Buffer overflow 
*   TALOS-2024-2030 (CVE-2024-39774): Buffer overflow 
*   TALOS-2024-2031 (CVE-2024-39370): Arbitrary code execution 
*   TALOS-2024-2032 (CVE-2024-37186): OS command injection 
*   TALOS-2024-2033 (CVE-2024-39781-CVE-2024-39783): OS Command injection 

wireless.cgi 

*   TALOS-2024-2039 (CVE-2024-39357): Buffer overflow 
*   TALOS-2024-2040 (CVE-2024-39359): Buffer overflow 
*   TALOS-2024-2041 (CVE-2024-36493): Buffer overflow 
*   TALOS-2024-2042 (CVE-2024-39603): Buffer overflow 
*   TALOS-2024-2043 (CVE-2024-39757): Buffer overflow 
*   TALOS-2024-2044 (CVE-2024-34544): Command injection 

usbip.cgi 

*   TALOS-2024-2045 (CVE-2024-36272): Buffer overflow 

qos.cgi 

*   TALOS-2024-2047 (CVE-2024-36295): Command injection 
*   TALOS-2024-2048 (CVE-2024-39299): Buffer overflow 
*   TALOS-2024-2049 (CVE-2024-39801-CVE-2024-39803): Buffer overflow 

openvpn.cgi 

*   TALOS-2024-2050 (CVE-2024-39798-CVE-2024-39800): Configuration control 
*   TALOS-2024-2051 (CVE-2024-38666): Configuration control 

nas.cgi 

*   TALOS-2024-2052 (CVE-2024-39602): Configuration control 
*   TALOS-2024-2053 (CVE-2024-39793-CVE-2024-39795): Configuration control 
*   TALOS-2024-2054 (CVE-2024-39360): Command injection 
*   TALOS-2024-2055 (CVE-2024-39280): Configuration control 
*   TALOS-2024-2056 (CVE-2024-39788-CVE-2024-39790): Configuration control 
*   TALOS-2024-2057 (CVE-2024-39786-CVE-2024-39787): Directory traversal 
*   TALOS-2024-2058 (CVE-2024-39784-CVE-2024-39785): Command injection 

**Three .sh vulnerabilities **

Attackers can send specially crafted HTTP requests. A man-in-the-middle attack can trigger the fw\_check.sh and update\_filter\_url.sh vulnerabilities. 

testsave.sh 

*   TALOS-2024-2035 (CVE-2024-39773): Firmware update 

fw\_check.sh 

*   TALOS-2024-2037 (CVE-2024-39273): Firmware upload  

update\_filter\_url.sh 

*   TALOS-2024-2038 (CVE-2024-39604): Argument injection

Slew of WavLink vulnerabilities

CVE-2024-44243, a critical macOS vulnerability discovered recently by Microsoft, can allow attackers to bypass Apple’s System Integrity Protection…

CVE-2024-44243, a critical macOS vulnerability discovered recently by Microsoft, can allow attackers to bypass Apple’s System Integrity Protection (SIP). Learn how this vulnerability can be exploited and how to protect your devices from this threat.

A recently discovered macOS vulnerability tracked as CVE-2024-44243, has raised alarms for jeopardizing the security of Apple devices. This vulnerability, uncovered by Microsoft Threat Intelligence, allows attackers to circumvent Apple’s robust System Integrity Protection (SIP) mechanism.

****How Does It Work?****

The flaw is found in the Storage Kit daemon, allowing local attackers with root privileges to exploit low-complexity attacks. According to Microsoft’s technical blog, shared with Hackread.com, CVE-2024-44243 exploits a weakness in the macOS storage management system. By leveraging the “storagekitd” daemon, attackers can potentially load third-party kernel extensions, bypassing the strict controls imposed by SIP.  

****What are the Implications?****

System Integrity Protection (SIP) is a crucial cybersecurity measure for macOS systems, protecting against malware and attackers. Bypassing it can significantly compromise the system’s security, Microsoft noted. Such as, attackers can install malicious software at the kernel level, and gain deep access to the system and data.

Moreover, malicious software can establish a persistent presence on the system, making it difficult to remove and potentially enabling future attacks. Also, attackers could bypass TCC (Transparency, Consent, and Control), Apple’s privacy framework, allowing unauthorized access to user data and sensitive information.  The vulnerability creates a wider attack surface, enabling attackers to exploit other vulnerabilities and escalate their privileges.

****Mitigating the Threat****

Apple has released security updates to address CVE-2024-44243. All macOS users must update their systems to the latest version to patch this vulnerability.

Microsoft’s responsible disclosure to Apple and their joint efforts to address this threat highlights the importance of shared knowledge and coordinated action in safeguarding user security. 

While we focus on patching vulnerabilities to protect ourselves from cyberattacks, it is important to remember that social engineering scams remain a prevalent threat. 

A recent campaign discovered by Group-IB targeted Apple iOS and Android users with fake trading apps. These apps were designed to steal from unsuspecting cryptocurrency investors. Therefore, staying informed about the latest threats, practicing safe online habits, and keeping software updated, are essential to minimize cybersecurity risks.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) commented on this stating, _“_This exposes the entire operating system to deeper compromise without needing physical access, threatening sensitive data and system controls._“_ 

“Security teams should ensure macOS systems are patched with the latest updates, closely monitor for unusual disk management or privileged process behaviour, and implement endpoint detection tools that watch for unsigned kernel extensions,“ Jason explained. _“_Regular integrity checks, principle-of-least-privilege policies, and strict compliance with Apple’s security guidelines further reduce exposure to this critical threat._“_

Tag

#intel